1. This Directive lays down measures with a view to achieving a high common level of security of network and information systems within the Union so as to improve the functioning of the internal market.

2. To that end, this Directive:

(a) lays down obligations for all Member States to adopt a national strategy on the security of network and information systems;

(b) creates a Cooperation Group in order to support and facilitate strategic cooperation and the exchange of information among Member States and to develop trust and confidence amongst them;

(c) creates a computer security incident response teams network (‘CSIRTs network’) in order to contribute to the development of trust and confidence between Member States and to promote swift and effective operational cooperation;

(d) establishes security and notification requirements for operators of essential services and for digital service providers;

(e) lays down obligations for Member States to designate national competent authorities, single points of contact and CSIRTs with tasks related to the security of network and information systems.

3. The security and notification requirements provided for in this Directive shall not apply to undertakings which are subject to the requirements of Articles 13a and 13b of Directive 2002/21/EC, or to trust service providers which are subject to the requirements of Article 19 of Regulation (EU) No 910/2014.

4. This Directive applies without prejudice to Council Directive 2008/114/EC (1) and Directives 2011/93/EU (2) and 2013/40/EU (3) of the European Parliament and of the Council.

5. Without prejudice to Article 346 TFEU, information that is confidential pursuant to Union and national rules, such as rules on business confidentiality, shall be exchanged with the Commission and other relevant authorities only where such exchange is necessary for the application of this Directive. The information exchanged shall be limited to that which is relevant and proportionate to the purpose of such exchange. Such exchange of information shall preserve the confidentiality of that information and protect the security and commercial interests of operators of essential services and digital service providers.

6. This Directive is without prejudice to the actions taken by Member States to safeguard their essential State functions, in particular to safeguard national security, including actions protecting information the disclosure of which Member States consider contrary to the essential interests of their security, and to maintain law and order, in particular to allow for the investigation, detection and prosecution of criminal offences.

7. Where a sector-specific Union legal act requires operators of essential services or digital service providers either to ensure the security of their network and information systems or to notify incidents, provided that such requirements are at least equivalent in effect to the obligations laid down in this Directive, those provisions of that sector-specific Union legal act shall apply.

Commentary

Cases of conflict between the NIS Directive and further Union legal acts:

Telecoms Framework and eIDAS Regulation (Art. 1(3)):

Exemptions to the scope of application are stipulated in Article 1(3) NIS Directive relating to the telecoms sector and to trust service providers which are subject to the requirements of Art. 19 eIDAS Regulation.

Article 1(3) NIS Directive excludes undertakings providing public communications networks or publicly available electronic communications services, which are subject to the requirements of Articles 13a and 13b Framework Directive, from the security and notification requirements of the NIS Directive. This is due to the fact that Art. 13a Framework Directive provides similar obligations. However, this means in practice that undertakings providing services within the definition of Article 2(a) Directive 2002/21/EC may be identified as OES or DSP, but only have to comply with the obligations of the NIS Directive for services they provide that are distinct from the provision of public communications networks or electronic communications services (as sector-specific legislation in that regard exists; such services include the services referred to in Annex II

Lex specialis (Art. 1(7)):

Art. 1 (7) regulates the interface between the NIS Directive and other sector-specific EU legislation. It recognises that certain sectors of the economy are already regulated or may be regulated in the future by sector-specific Union legal acts that include rules related to the security of network and information systems. In other words, pre-existing and future sector- or topic-specific legislation shall retain primary applicability in the sense of lex specialis, so that at least in principle contradictions between overlapping requirements can be avoided.

Whenever sector-specific Union legal acts contain provisions imposing requirements concerning the security of network and information systems or notifications of incidents, those provisions should apply if they contain requirements which are at least equivalent in effect to the obligations contained in this Directive (Recital 9). Noteworthy, Art. 1(7) only requires that the Union legal act requires the implementation of network and information systems security or the notification of incidents with equivalent effect. It is thus unclear whether an obligation to ensure the security of network and information systems laid down in a sector-specific Union legal act will suffice for the sector-specific act to gain precedence (cf. Charlotte Ducuing, On the Edge of the NIS Directive: The Proposed C-ITS Delegated Regulation, Friend or Foe?, https://dx.doi.org/10.2139/ssrn.3486978). In contrast to Art. 1(7), Recital 9 refers to the implementation of security measures and notification of incidents.

In determining whether the requirements on the security and the notification of incidents contained in sector-specific Union legal acts are equivalent to those contained in this Directive, regard should only be paid to the provisions of relevant Union legal acts and their application in the Member States (Recital 9).

In resolving the conflict or assessing the equivalent effect, the nature of the NIS Directive has to be borne in mind. The NIS Directive, as a Directive, requires implementation into national law at Member State level; thus, any conflict with another Directive would occur at Member State level. In that line, assessing the equivalent effect of a Regulation with the NIS Directive means in any case that the Regulation would prevail by its nature over Member State law (cf. with regard to the relationship between the NIS Directive and the GDPR: Dimitra Markopoulou, Vagelis Papakonstantinou, Paul de Hert, The new EU Cybersecurity Framework: The NIS Directive, ENISA’s Role and the General Data Protection Regulation, Computer Law & Security Review 35 (6) [2019] 105336).

If equivalent effect can be established, Member States should apply the provisions of the sector-specific Union legal act, including those relating to jurisdiction. In addition, they should not carry out the identification process for operators of essential services as defined by the NIS Directive (Recital 9). Recital 9 clarifies that in this case, the Member State should provide information to the Commission on the application of such lex specialis provisions.

Equivalent effect has so far been established at EU level between Arts. 95 and 96 PSD2 relating to payment service providers and Art. 14 NIS Directive (see European Commission, Communication from the Commission to the European Parliament and the Council, Making the most of NIS – towards the effective implementation of Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union, COM/2017/0476 final, Annex I, p. 37). Payment service providers are encompassed within Annex II of the NIS Directive as part of the financial services sector. Arts. 95 and 96 PSD2 are lex specialis to the NIS Directive.